ADVICE FROM A CYBERSECURITY TACTICIAN

A Massive Rift in an Organization’s Cybersecurity Defenses: Overlooking the Importance of Leadership

In today’s day and age, leadership is pivotal but often overlooked in cybersecurity.

Michael F D Anaya

But why? I propose it is the belief that an executive cybersecurity leader, particularly the Chief Information Security Officer (CISO), should be very technical, to the point of being a skilled practitioner. Jennifer Laidlaw, a leading talent development consultant, noted:

I think in tech, we tend to forget that leadership is people-focused. Many folks in tech fall into a set of strengths centered around data and process and not strengths around relationships and EQ (emotional intelligence).

That resonated with me, for it is what I have witnessed. I recommend we take another look at leadership in cybersecurity and tackle it from a different angle, with more focus on one’s proven leadership ability. How do you do that? You evaluate cybersecurity leaders using additional criteria, not just technical ability. Here are the three benchmarks you should use when selecting an executive cybersecurity leader, listed in order of importance:

1. Demonstrates the Proven Ability to Lead

First and foremost, does this person possess the ability to lead and galvanize a team around a cause? Can they build a team? Can this person orchestrate an effective defense posture against an attack? These are all questions you should be asking. Not, “Does this person have the technical know-how?” Don’t get me wrong, having a technical proclivity is important (so much so, it made my list in the 3rd slot), but it takes a back seat to leadership ability.

Whether it be a persistent nation-state threat that is years and millions of dollars in the making or a brazen fraudster targeting your less savvy users, the threats are ever-present and constantly evolving. Because of this, one person can’t solve all of the issues independently; it takes a team of people, which is why you need someone who can effectively lead your cybersecurity team.

There are countless leadership theories in play. An article in Harvard Business Review covers six fundamental skills every leader should practice. Start here. In summary, the skills are:

  1. Shape a vision that is exciting and challenging
  2. Translate that vision into a clear strategy
  3. Recruit, develop, and reward
  4. Focus on measurable results
  5. Foster innovation and learning
  6. Lead yourself

When you are evaluating your next cybersecurity executive, determine if the person has those six skills. How, you ask? Have them prove it:

  1. Ask for in-depth situational examples
  2. Ensure they have held past positions where these skills have been tested
  3. Ask the candidate’s references to provide you with first-hand experiences

If the applicant demonstrates they have these leadership skills, you have a viable candidate.

2. Embodies Your Organization’s Culture

The next question should be: “Does this person fit our organization’s culture?” Keep in mind that this is not a debate about your company culture or what it could be, but what it is today. If you are looking to change your organizational culture for the better, that is another conversation (but a worthy one). For this article, let’s assume that is not a factor.

A common fallacy is that if a person is successful in one environment, that person will be successful in every environment. It explains why you see NCAA college football coaches lead one team to a National Championship but struggle when they shift to another program.

You have to ensure leaders are in line with organizational culture. If not, you’ll have interpersonal conflict, greater levels of job dissatisfaction, and loss of top talent, all leading to an unstable team and, in turn, adversely affecting cybersecurity defenses.

Finding the right leader who can complement the existing team is often overlooked. An article by O.C. Tanner covers this in far greater detail. Simply put, leaders set the tone for organizational culture. They can make or break it. Having your cybersecurity leader in line with your organization’s culture is critical.

3. Possesses a Deep Technical Proclivity

Finally, you need your executive cybersecurity leader to have a technical proclivity. The leader has to understand the technical cybersecurity challenges the organization faces today and in the future.

This could take on many forms. They could have spent years as a software engineer, network administrator, database administrator, or in another technical but non-cybersecurity role, and then been promoted into leadership. The person could even have been a computer science professor who jumped into the private sector, rose through the ranks, and is now a top candidate for a CISO role. There are countless other scenarios, but in all of these situations, the person has shown a propensity for technical thinking.

Now, the person in question needs to have experience in cybersecurity in some capacity. That might mean they led a cybersecurity team, built a cybersecurity program, or obtained various cybersecurity certifications. However, you don’t need 30 years of cybersecurity experience with multiple certifications to do the job. Remember, the primary focus should be on the person’s ability to lead. That person will build and lead a team consisting of others who specialize in all the areas warranted by your organization’s threat landscape.

Today, if every organization focused on these three areas when selecting their next CISO, they would be far better protected against cyber threat adversaries. One person can’t do it alone, which is why you need someone who can build a team, and not just an internal team. They will need to develop partnerships, build collaborations across industries (even spanning into the public sector), and involve outside experts. There is too much on the line in today’s cyber-threat-laden world for anything less.

Michael F D Anaya

A cybersecurity tactician with a wealth of knowledge in understanding criminal and nation state actors | Top Rated Dad | Founder of decodingCyber